Ghidra: How to create pseudo-functions for instructions?

Created on 21 Mar 2019 · 4Comments · Source: NationalSecurityAgency/ghidra

A lot of instructions translate to a pseudo C function, such as SWI 0x9.... on ARM to syscalls, or MOVSD.REP on x86 to strcpy. Is there a way to tell Ghidra that a particular instruction should actually be decompiled into a function-call? Either via Sleigh or via the scripting API?

Example where a single instruction is decoded to multiple lines even though it could just be a strncpy/memcpy that I'd like to replace in the decompiler output:

Screenshot 2019-03-21 at 01 27 49

Thanks!

Question

Source

nezza

👍2

Most helpful comment

Currently this would need to be done in the sleigh processor module definition, which is probably not the correct place to put it. Simplification idioms like this could be built into the decompiler at some point.

For the syscalls and other similar cases of indirect calls we are looking to standardized a general solution.

emteere on 20 May 2019

👍4

All 4 comments

I do remember reading something about inline function in the documentation, maybe that would be a way?

Godzil on 26 Mar 2019

Unfortunately, this flag ("inline") is needed for another.
http://ghidra.re/courses/GhidraClass/Advanced/improvingDisassemblyAndDecompilation.pdf

Some special functions have side effects that the decompiler needs to know about for correct decompilation. You can handle this situation by marking them as inline.
If foo is marked as inline, calls to foo will be replaced by the body of foo during decompilation.

kITerE on 24 Apr 2019

I've just stumbled upon the same problem - I'd hope for a memcpy or something similar (like qmemcpy for 4byte aligned copies in IDA). Basically the reverse of the inline marker.